For all practical purposes it's possible to do this. The boot ROM only boots a vendor-signed bootloader, the bootloader verifies the OS kernel, etc., until you have a fully verified boot chain. A secure enclave, which is completely separated from the main CPU and OS performs the attestation using a private key in its tamper-resistant storage and embeds the results of verification by the bootloader. There may be some vulnerabilities, but most of them can be fixed in updates, with exception of the boot ROM.
replyThe reason why the system gets broken in Android occasionally is that most Android phones have terrible security and do not use a secure enclave/processor, etc. (which the iPhone had since 5s + Google/Samsung for quite some years through Titan M/Knox Vault). Instead they use TrustZone, which set up a TEE on the same CPU/RAM as the main OS. Of course, it uses memory protection for separation, but is often vulnerable to side-channel attacks. This is also the reason many Android phones will be cracked by Cellebrite in seconds (recently such a Mediatek TEE vulnerability was made public [1]).
[1] https://www.malwarebytes.com/blog/news/2026/03/this-android-...
Nope. It is still not possible to give someone else (the government, or the bank) control over your phone while at the same time run software that you alone control with higher privileges.
Please don't mix that up with "is practically hard to implement because of sloppy code.
Also your attacker model is still "occasional evil government agency or evil private corporation wants to crack and read your messages", while what is discussed here is more fundamental "evil government or abusive corporation controls your phone in the first place, and can just remote control it you can't use really secure apps"
replyThe software layer in age verification is not necessary to trust though. The worst that could happen is that a compromised software layer steals your age credential, but it is by design anonymous so you don't risk getting your money or account stolen or anything. This makes it a different threat model from the banking case.
replyYou can store key material in hardware-backed enclaves without involving remote attestation. If someone has a modified device/client that stores the keys elsewhere, that's on them - they're only weakening their own security.
reply